Field
Embodiments presented herein generally relate to techniques for managing security events, and more specifically, to techniques for detecting security incidents based on low confidence security events.
Description of the Related Art
Many enterprises (e.g., individuals, organizations, companies, etc.) employ some form of network security solution to help combat and/or prevent security threats. In some cases, for example, enterprises increasingly rely on outside security services (e.g., such as managed security service providers (MSSPs), and the like) to provide specialized computer and network services and/or employ security management tools (e.g., such as security incident and event managers (SIEMs), etc.) to help manage enterprise security operations. The increased use of MSSPs and SIEMs is due, in part, to increased costs associated with large computing infrastructures, a lack of security expertise, resource constraints, etc. For example, enterprise computing infrastructures typically include many computing systems, applications, networks, data storage systems, etc., that are constantly subject to a wide variety of security threats and vulnerabilities. Further, enterprise computing infrastructures often employ a variety of security tools (e.g., firewalls, antivirus software, intrusion detection systems, intrusion prevention systems, etc.) to monitor computing systems and infrastructure. As a result, enterprises employ outside security services and/or security management tools to help monitor, detect, and prevent security threats.
Outside security services (such as MSSPs, etc.) can provide a portion or all of a client's security needs. Examples of typical functions performed by outside security services include: gathering, analyzing and presenting (to an analyst) information gathered from network and security devices; installing, managing, and/or upgrading network security equipment (e.g., firewalls, intrusion detection software, etc.); performing vulnerability scans; and other similar services. In some cases, SIEMs can be used by enterprises and/or MSSPs to help perform one or more of these functions. SIEMs, in general, are tools that aggregate product telemetry, usually from multiple vendors, into a common format to centralize security-related data and facilitate the creation of detection rules. Most SIEMs are managed by the enterprise's incident responders (e.g., security analysts), who create rules and monitor the system output to identify security incidents. However, in some cases, MSSPs can also use SIEMs to perform security incident detection. For example, in these cases, MSSPs can validate the output from SIEMs and then alert the enterprise's security analysts to a security incident.
In order to perform these network services, MSSPs and/or SIEMs typically have to collect and process huge amounts of information. For example, to detect security incidents, MSSPs and/or SIEMs generally have to process hundreds of thousands of types of security events and rely on manually-created rules to detect a security incident. These security incidents are then presented to security administrators, who are typically tasked with deciding whether to handle or resolve the security incidents. However, performing security incident detection in this manner often leads to many false-positive incidents. These false-positive incidents, when presented to security administrators, can overwhelm administrators with unnecessary and unhelpful information, and distract them from real security threats, which may in turn leave enterprise network systems vulnerable to attacks.
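The two preceding paragraphs describe the related-art pipeline in the abstract: a SIEM normalizes telemetry from several vendors into a common format, and analysts write rules against that format, with each rule's thresholds chosen by hand. The following Python example is added here to make that pipeline concrete; it is not code from the patent application and does not implement the claimed technique. The two log formats (a key=value firewall line and a JSON IDS alert), the sample log lines, the severity mapping, and the rule thresholds are all constructed for illustration.

```python
"""Illustrative SIEM-style pipeline: normalize multi-vendor telemetry into a
common event schema, then apply hand-written detection rules to it.

All log formats, sample lines, severity mappings and thresholds below are
constructed for this example and do not describe any real product."""
import json
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """Common format shared by every source, so one rule can cover all vendors."""
    source: str    # which security tool produced the event
    src_ip: str
    kind: str      # event vocabulary shared across sources
    severity: int  # 0 (informational) .. 10 (critical), normalized per source


# Constructed sample telemetry in two hypothetical vendor formats.
FIREWALL_LOGS = [
    "fw1 action=deny src=10.0.0.5 dst=10.0.1.7 proto=tcp dpt=445",
    "fw1 action=deny src=10.0.0.5 dst=10.0.1.8 proto=tcp dpt=445",
    "fw1 action=allow src=10.0.0.9 dst=10.0.1.7 proto=tcp dpt=443",
]
IDS_LOGS = [
    '{"sensor":"ids2","sig":"SMB probe","priority":3,"src_ip":"10.0.0.5"}',
    '{"sensor":"ids2","sig":"Port scan","priority":2,"src_ip":"10.0.0.12"}',
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_firewall(line):
    """key=value firewall line -> Event; only denies are retained as events."""
    fields = dict(KV_RE.findall(line))
    if fields.get("action") != "deny":
        return None
    # A single denied connection is low-confidence on its own: severity 2.
    return Event(source="firewall", src_ip=fields["src"], kind="fw_deny", severity=2)


def parse_ids(line):
    """JSON IDS alert -> Event. Hypothetical vendor scale: priority 1 is most severe."""
    rec = json.loads(line)
    severity = {1: 9, 2: 6, 3: 3}.get(rec["priority"], 1)
    return Event(source="ids", src_ip=rec["src_ip"], kind="ids_alert", severity=severity)


def normalize(fw_lines, ids_lines):
    """Aggregate both feeds into one list of Events in the common format."""
    events = [parse_firewall(l) for l in fw_lines] + [parse_ids(l) for l in ids_lines]
    return [e for e in events if e is not None]


def rule_any_high(events, threshold=5):
    """Manually-created rule 1: any single event at or above `threshold` is an incident.
    The threshold is a hand-picked constant; lowering it raises the false-positive load."""
    return sorted({e.src_ip for e in events if e.severity >= threshold})


def rule_repeat_from_source(events, min_count=2):
    """Manually-created rule 2: the same source IP producing `min_count` or more
    events of any severity is an incident. Also hand-tuned; a noisy host trips it easily."""
    by_ip = defaultdict(int)
    for e in events:
        by_ip[e.src_ip] += 1
    return sorted(ip for ip, n in by_ip.items() if n >= min_count)


if __name__ == "__main__":
    evts = normalize(FIREWALL_LOGS, IDS_LOGS)
    print("normalized events:", len(evts))
    print("rule_any_high ->", rule_any_high(evts))
    print("rule_repeat_from_source ->", rule_repeat_from_source(evts))
```

Because both parsers emit the same `Event` schema, each rule is written once and applies to every vendor's telemetry, which is the centralization benefit the paragraph describes. The two rules also show where the false-positive problem comes from: their thresholds are constants an analyst chose by hand, and every source IP they flag becomes an incident an administrator must triage, whether or not the underlying low-severity events meant anything.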